How to scan only the latest commits for secrets using the git-secrets-scan pipe?
Platform Notice: Cloud - This article applies to Atlassian products on the cloud platform.
Summary
The git-secrets-scan pipe allows you to scan any repository for secrets that might have been inadvertently committed. This article outlines how to limit your scan to just the most recent commits in a repository, using the git-secrets-scan pipe on Bitbucket Cloud, rather than scanning the entire repository.
Solution
Instead of scanning the entire repository, the following two options provide a way to run the scan only on the latest commits, depending on your requirements.
- Using the git-secrets-scan pipe with the clone parameter in the YAML:
- Adding a clone: depth parameter to your step clones the repository only to the depth defined in your YAML.
- If the clone depth is set to "1", the repository is cloned with a depth of one commit; the pipe then runs its scan against that same shallow clone, so only the latest commit is scanned.
- Sample code as below:
    step:
      name: 'Build new'
      clone:
        depth: 1
      script:
        - echo "test"
        - pipe: atlassian/git-secrets-scan:3.1.0 # Version may vary depending on the latest release of the pipe
          variables:
            GITLEAKS_EXTRA_ARGS: "--redact --exit-code 0 --gitleaks-ignore-path .gitleaksignore"
- Using the original Docker image for secret scanning:
- Another approach is to configure a new step for secret scanning that uses the Docker image "zricethezav/gitleaks:latest".
- The command in the script section below scans only the head of the repository (the range HEAD^..HEAD, i.e. the latest commit), even though the entire repository is cloned.
- Sample YAML looks like below:
    - step:
        image: zricethezav/gitleaks:latest
        name: 'Build new'
        script:
          - gitleaks git -v --redact --exit-code 0 --gitleaks-ignore-path .gitleaksignore --log-opts=HEAD^..HEAD
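The two options above do not scope the scan to exactly the same content. Gitleaks reads `git log -p` output, and in a depth-1 shallow clone Git treats the boundary commit as a root commit, so its patch shows every file in the tree as added; `--log-opts=HEAD^..HEAD` on a full clone instead yields only the diff introduced by the latest commit. The following script is an added example (not from this article or from the git-secrets-scan pipe) that builds a throwaway repository with a constructed, obviously fake marker in an older commit and a clean newer commit, then extracts the added lines each approach would hand to the scanner. All paths, the marker string and the function names are constructed for the demonstration; it needs only `git`.

```shell
#!/usr/bin/env bash
# Added example, not part of the Atlassian article: compare what a secret scanner
# would see under (1) a depth-1 shallow clone and (2) --log-opts=HEAD^..HEAD.
set -eu

# Build a temporary repo with two commits. The "secret" is a constructed marker
# string, not a real credential. Prints the repo path.
make_demo_repo() {
  local dir
  dir="$(mktemp -d)"
  git -C "$dir" init -q
  git -C "$dir" config user.email "demo@example.invalid"
  git -C "$dir" config user.name "Demo"
  # Older commit: introduces the constructed marker.
  printf 'API_TOKEN=FAKE_TOKEN_FOR_DEMO_ONLY_0000\n' > "$dir/config.env"
  git -C "$dir" add config.env
  git -C "$dir" commit -q -m "old commit containing constructed marker"
  # Newest commit: a clean change only.
  printf 'hello\n' > "$dir/README.md"
  git -C "$dir" add README.md
  git -C "$dir" commit -q -m "new clean commit"
  printf '%s\n' "$dir"
}

# Option 2 scope: the patch gitleaks sees with --log-opts=HEAD^..HEAD on a full
# clone. Emits only lines added by the latest commit (diff '+++' headers excluded).
latest_commit_added_lines() {
  git -C "$1" log -p --format= HEAD^..HEAD | grep '^+[^+]' || true
}

# Option 1 scope: a depth-1 clone of the same repo. The boundary commit has no
# parent in the clone, so `git log -p` diffs it against the empty tree and every
# file in the tree appears as an added line, older content included.
shallow_clone_added_lines() {
  local clone
  clone="$(mktemp -d)"
  git clone -q --depth 1 "file://$1" "$clone"
  git -C "$clone" log -p --format= | grep '^+[^+]' || true
}

# Count how many of the in-scope added lines carry the constructed marker;
# prints 0 when nothing matches.
count_secret_hits() {
  grep -c 'API_TOKEN=' || true
}

# Demo run: the old marker is out of scope for HEAD^..HEAD but in scope for the
# depth-1 clone, because the shallow clone's single commit carries the whole tree.
repo="$(make_demo_repo)"
echo "marker hits with --log-opts=HEAD^..HEAD: $(latest_commit_added_lines "$repo" | count_secret_hits)"
echo "marker hits in a depth-1 shallow clone:  $(shallow_clone_added_lines "$repo" | count_secret_hits)"
```

Two practical consequences follow. First, do not combine the second approach with clone depth 1: in a depth-1 clone the parent object is absent, so `HEAD^` cannot be resolved and the `gitleaks git` command fails before scanning anything. Second, both sample commands pass `--exit-code 0`, which makes the step succeed even when findings are reported; if the intent is to block a push that introduces a secret, run without that flag (or with a non-zero code) so the pipeline fails on a finding, and treat the `--redact` output as the signal to rotate the exposed credential.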